SFP Secondary Cluster: Unexpected Entry Points

A category in the Common Weakness Enumeration published by The MITRE Corporation.


Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.

This category identifies Software Fault Patterns (SFPs) within the Unexpected Entry Points cluster.


Active Debug Code

The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.

Array Declared Public, Final, and Static

The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified.

clone() Method Without super.clone()

The product contains a clone() method that does not call super.clone() to obtain the new object.

Critical Data Element Declared Public

The product declares a critical variable, field, or member to be public when intended security policy requires it to be private.

Critical Public Variable Without Final Modifier

The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.

finalize() Method Declared Public

The product violates secure coding principles for mobile code by declaring a finalize() method public.

finalize() Method Without super.finalize()

The product contains a finalize() method that does not call super.finalize().

Inclusion of Sensitive Information in Test Code

Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know a...

Public cloneable() Method Without Final ('Object Hijack')

A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in a...

Public Static Field Not Marked Final

An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.

Struts: Non-private Field in ActionForm Class

An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter.


Software Fault Pattern (SFP) Clusters

CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).

Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.